ECS integration Compose features
Compose - Amazon ECS mapping
This document outlines the conversion of an application defined in a Compose file to AWS resources. Each service is mapped to an ECS service in the project’s cluster.
Compose fields mapping
The table below lists supported Compose file fields and their AWS counterparts.
Legend:
- ✓: Implemented
- n: Not yet implemented
- x: Not applicable / no available conversion
| Keys | Map | Notes |
|---|---|---|
| Service | ✓ | |
| service.service.build | x | Ignored. No image build support on AWS. |
| service.cap_add, cap_drop | ✓ | Supported with Fargate limitations |
| service.command | ✓ | |
| service.configs | x | |
| service.cgroup_parent | x | |
| service.container_name | x | |
| service.credential_spec | x | |
| service.deploy | ✓ | |
| service.deploy.endpoint_mode | x | |
| service.deploy.mode | x | |
| service.deploy.replicas | ✓ | Set service initial scale. Auto-scaling, when enabled, will make this dynamic |
| service.deploy.placement | ✓ | Used with EC2 support to select a machine type and AMI |
| service.deploy.update_config | ✓ | |
| service.deploy.resources | ✓ | Fargate resource is selected with the lowest instance type for configured memory and cpu |
| service.deploy.restart_policy | ✓ | |
| service.deploy.labels | ✓ | |
| service.devices | x | |
| service.depends_on | ✓ | Implemented using CloudFormation Depends_on |
| service.dns | x | |
| service.dns_search | x | |
| service.domainname | x | |
| service.tmpfs | x | Not supported on Fargate, see https://github.com/docker/compose-cli/issues/839 |
| service.entrypoint | ✓ | |
| service.env_file | ✓ | |
| service.environment | ✓ | |
| service.expose | x | |
| service.extends | ✓ | |
| service.external_links | x | |
| service.extra_hosts | x | |
| service.group_add | x | |
| service.healthcheck | ✓ | This configures container level health check as reported on ECS console. Application Load Balancer will also check for HTTP service health by accessing / and expect a HTTP 200 status code. |
| service.hostname | x | |
| service.image | ✓ | Private images will be accessible by passing x-aws-pull_policy with ARN of a username+password secret |
| service.isolation | x | |
| service.labels | x | |
| service.links | x | |
| service.logging | ✓ | Can be used to customize CloudWatch Logs configuration |
| service.network_mode | x | |
| service.networks | x | Communication between services is implemented by SecurityGroups within the application VPC. |
| service.pid | x | |
| service.ports | ✓ | Only symetrical port mapping is supported in ECS. See Exposing ports. |
| service.secrets | ✓ | See Secrets. |
| service.security_opt | x | |
| service.stop_grace_period | x | |
| service.stop_signal | x | |
| service.sysctls | x | |
| service.ulimits | ✓ | Only support nofile ulimit due to Fargate limitations |
| service.userns_mode | x | |
| service.volumes | ✓ | Mapped to EFS File Systems. See Persistent volumes. |
| service.restart | x | Replaced by service.deployment.restart_policy |
| Volume | x | |
| driver | ✓ | See Persistent volumes. |
| driver_opts | ✓ | |
| external | ✓ | name must be an EFS filesystem ID |
| labels | x | |
| Secret | x | |
| external | ✓ | name must be set to secret’s ARN |
| file | ✓ | file content will be uploaded into AWS Secret Manager |
| Config | x | |
Logs
Application logs can be obtained container with docker compose logs.
The Docker ECS integration relies on AWS CloudWatch Logs to collect logs from all containers. CloudWatch can be customized by setting service logging.driver_opts
by passing configuration attributes prefixed with awslogs-.
test:
image: mycompany/webapp
logging:
driver-opts:
awslogs-datetime-pattern: "some-pattern"
Exposing ports
When one or more services expose ports, a Load Balancer is created for the application. As all services are exposed through the same Load Balancer, only one service can expose a given port number. The source and target ports defined in the Compose file MUST be the same, as service-to-service communication don’t go through the Load Balancer and could not benefit from Listeners abstraction to assign a distinct published port.
If services in the Compose file only expose ports 80 or 443, an Application Load Balancer is created, otherwise ECS integration will provision a Network Load Balancer.
HTTP services using distinct ports can force use of an ALB by claiming the http protocol with x-aws-protocol custom extension within the port declaration:
test:
image: mycompany/webapp
ports:
- target: 8080
x-aws-protocol: http
Persistent volumes
Docker volumes are mapped to EFS file systems. Volumes can be external (name must then be set to filesystem ID) or will be created when the application is
first deployed. docker compose down will NOT delete the filesystem, and it will be re-attached to the application on future runs.
driver_opts can be used to tweak the EFS filsystem.
Volume mount can be customized to workaround Posix filesystem permission issues by setting user and group IDs to be used to write to filesystem, whatever user is configured to run the container.
services:
myservice:
image: mycompany/webapp
volumes:
- mydata:/mount/testvolumes
volumes:
mydata:
driver_opts:
performance-mode: maxIO
throughput-mode: bursting
uid: 0
gid: 0
Secrets
Secrets can be defined in compose files, and will need secret files available at deploy time next to the compose file.
The content of the secret file will be made available inside selected containers, by default under /run/secrets/<SECRET_NAME>.
External secrets are also supported, name must then be set to secret’s ARN
services:
nginx:
image: mycompany/webapp
secrets:
- mysecret
secrets:
mysecret:
file: ./my_secret1.txt
Container Resources
CPU and memory limits can be set in compose. Those are used to select the minimal Fargate size that will match those limits.
services:
nginx:
image: mycompany/webapp
deploy:
resources:
limits:
cpus: '0.5'
memory: 2Gb